DSA-2019-089: Dell EMC Server Platform Security Advisory for Intel-SA-00233

DSA Identifier: DSA-2019-089

CVE Identifier: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

Severity: Medium

Severity Rating: CVSS v3 Base Score: See NVD (http://nvd.nist.gov/) for individual scores for each CVE

Affected products:  
Dell EMC Servers (see Resolution section below for complete list of affected products)

Summary:  
Dell EMC Servers require a security update to address the Intel Microarchitectural Data Sampling Vulnerabilities.

Details:  
Updates will be available to address the following security vulnerabilities.

Intel-SA-00233: Intel Microarchitectural Data Sampling Vulnerabilities

• CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

For more information about any of the Common Vulnerabilities and Exposures (CVEs) mentioned here, consult the National Vulnerability Database (NVD) at http://nvd.nist.gov/home.cfm. To search for a particular CVE, use the database’s search utility at http://web.nvd.nist.gov/view/vuln/search.

Resolution:      
The following is a list of impacted products and expected release dates. Dell recommends all customers update at the earliest opportunity.
There are two essential components that need to be applied to mitigate the above-mentioned vulnerabilities:

1. Apply the BIOS update listed in the Dell EMC Server Affected section below.
2. Apply the applicable operating system patch. This is required to mitigate the Intel-SA-00233 related vulnerabilities.  

We encourage customers to review Intel’s Security Advisory for information, including appropriate identification and mitigation measures.

Please visit the Drivers and Downloads site for updates on the applicable products.  Note, the following list of impacted products with released BIOS updates are linked. To learn more, visit the Dell Knowledge Base article Update a Dell PowerEdge Driver or Firmware Directly from the OS (Windows and Linux), and download the update for your Dell computer.

Customers may use one of the Dell notification solutions to be notified and download driver, BIOS and firmware updates automatically once available.

Additional References:

• Software Security Guidance for developers:https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling
• Intel Security First – MDS Page: https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html
• Intel Security Center: https://security-center.intel.com
• AMD response to CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 (Fallout and Rogue In-Flight Data Load (RIDL)): https://www.amd.com/en/corporate/product-security
• VMware: https://www.vmware.com/security/advisories/VMSA-2019-0008.html
• Microsoft: https://support.microsoft.com/en-us/help/4457951/windows-guidance-to-protect-against-speculative-execution-side-channel
• Red Hat: https://www.redhat.com/en/blog/understanding-mds-vulnerability-what-it-why-it-works-and-how-mitigate-it
• SuSe: https://www.suse.com/security/cve/CVE-2018-12126/
• Ubuntu: https://blog.ubuntu.com/2019/05/14/ubuntu-updates-to-mitigate-new-microarchitectural-data-sampling-mds-vulnerabilities

 

 

Dell EMC Server Products Affected

Product	BIOS Update Version (or greater)	Release Date/ Expected Release Date  (MM/DD/YYYY)
R640, R740, R740XD, R940, NX3240, NX3340	2.2.10	05/30/2019
XC740XD, XC640, XC940	2.2.10	05/31/2019
R540, R440, T440, XR2	2.2.9	05/31/2019
R740XD2	2.2.9	05/31/2019
R840, R940xa	2.2.10	05/31/2019
T640	2.2.9	05/31/2019
C6420, XC6420	2.2.9	05/31/2019
FC640, M640, M640P	2.2.9	05/31/2019
MX740C	2.2.9	05/31/2019
MX840C	2.2.9	05/31/2019
C4140	2.2.9	05/31/2019
T140, T340, R240, R340, NX440	1.2.0	05/31/2019
DSS9600, DSS9620, DS9630	2.2.10	05/31/2019

 

R830	1.10.5	09/10/2019
T130, R230, T330, R330, NX430	2.7.1	09/10/2019
R930	2.7.2	10/2019
R730, R730XD, R630	2.10.5	09/18/2019
NX3330, NX3230, DSMS630, DSMS730	2.10.5	09/10/2019
XC730, XC703XD, XC630	2.10.5	09/2019
C4130	2.10.5	09/06/2019
M630, M630P, FC630	2.10.5	09/06/2019
FC430	2.10.5	09/07/2019
M830, M830P, FC830	2.10.5	09/06/2019
T630	2.10.5	09/10/2019
R530, R430, T430	2.10.5	09/10/2019
XC430, XC430Xpress	2.10.5	09/10/2019
R530XD	1.10.5	09/19/2019
C6320	2.10.5	09/10/2019
XC6320	2.10.5	09/10/2019
C6320P	2.2.0	09/10/2019
T30	1.1.0	09/10/2019
DSS1500, DSS1510, DSS2500	2.10.3	06/27/2019
DSS7500	2.10.3	09/2019

 

R920	1.9.0	10/1/2019
R820	2.6.0	09/24/2019
R520	2.7.0	09/19/2019
R420	2.7.0	09/19/2019
R320, NX400	2.7.0	09/19/2019
T420	2.7.0	09/19/2019
T320	2.7.0	09/19/2019
R220	1.11.0	09/25/2019
R720, R720XD, NX3200, XC720XD	2.8.0	10/1/2019
R620, NX3300	2.8.0	09/09/2019
M820	2.8.0	09/09/2019
M620	2.8.0	09/09/2019
M520	2.8.0	09/09/2019
M420	2.8.0	09/09/2019
T620	2.8.0	09/19/2019
T20	A20	09/06/2019
C5230	1.5.0	09/19/2019
C6220	2.5.7	09/19/2019
C6220II	2.10.0	09/19/2019
C8220, C8220X	2.10.0	09/19/2019

Severity Rating:  

For an explanation of Severity Ratings, refer to Dell’s Vulnerability Disclosure Policy. Dell EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.

Legal Information:

Dell recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.